admin: add option to declare roles are managed by identity provider (#13789)
parent
6cc90e31a9
commit
b254184559
@ -2489,6 +2489,36 @@ def test_users_edit_edit_account(pub):
|
|||
assert PasswordAccount.has_key('foo')
|
||||
assert PasswordAccount.get('foo').user_id == user.id
|
||||
|
||||
def test_users_edit_with_managing_idp(pub):
|
||||
create_role()
|
||||
pub.user_class.wipe()
|
||||
pub.cfg['sp'] = {'idp-manage-user-attributes': True}
|
||||
pub.write_cfg()
|
||||
PasswordAccount.wipe()
|
||||
create_superuser(pub)
|
||||
user = pub.user_class(name='foo bar')
|
||||
user.store()
|
||||
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/backoffice/users/%s/' % user.id)
|
||||
assert '>Manage Roles<' in resp.body
|
||||
resp = resp.click(href='edit')
|
||||
assert not 'email' in resp.form.fields
|
||||
assert 'roles$added_elements' in resp.form.fields
|
||||
|
||||
pub.cfg['sp'] = {'idp-manage-roles': True}
|
||||
pub.write_cfg()
|
||||
resp = app.get('/backoffice/users/%s/' % user.id)
|
||||
assert '>Edit<' in resp.body
|
||||
resp = resp.click(href='edit')
|
||||
assert 'email' in resp.form.fields
|
||||
assert not 'roles$added_elements' in resp.form.fields
|
||||
|
||||
pub.cfg['sp'] = {'idp-manage-roles': True, 'idp-manage-user-attributes': True}
|
||||
pub.write_cfg()
|
||||
resp = app.get('/backoffice/users/%s/' % user.id)
|
||||
assert not '/edit' in resp.body
|
||||
|
||||
def test_users_delete(pub):
|
||||
pub.user_class.wipe()
|
||||
PasswordAccount.wipe()
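Review bot: The new test ends with `pub.cfg['sp']` left at `{'idp-manage-roles': True, 'idp-manage-user-attributes': True}` after its final `pub.write_cfg()`, so if the `pub` fixture is shared across the module, every later test (starting with `test_users_delete`, just below) runs with both IdP flags on. Reset the setting at the end of the test, `pub.cfg['sp'] = {}` followed by `pub.write_cfg()`, or do it in the fixture teardown. The negated membership checks read more naturally as `assert 'email' not in resp.form.fields`, `assert 'roles$added_elements' not in resp.form.fields` and `assert '/edit' not in resp.body` (PEP 8 E713).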
|
||||
|
|
|
@ -322,6 +322,8 @@ def test_configure_authentication_methods():
|
|||
|
||||
assert len(pub.cfg['idp'].keys()) == 1
|
||||
assert pub.cfg['saml_identities']['registration-url']
|
||||
assert pub.cfg['sp']['idp-manage-user-attributes']
|
||||
assert pub.cfg['sp']['idp-manage-roles']
|
||||
|
||||
def test_deploy():
|
||||
cleanup()
|
||||
|
|
|
@ -25,7 +25,7 @@ from qommon.backoffice.listing import pagination_links
|
|||
from wcs.roles import Role
|
||||
|
||||
import qommon.ident
|
||||
from qommon.ident.idp import is_idp_managing_user_attributes
|
||||
from qommon.ident.idp import is_idp_managing_user_attributes, is_idp_managing_user_roles
|
||||
from qommon.form import *
|
||||
from qommon.admin.emails import EmailsDirectory
|
||||
from qommon.backoffice.menu import html_top
|
||||
|
@ -54,8 +54,9 @@ class UserUI(object):
|
|||
formdef.add_fields_to_form(form, form_data = self.user.form_data)
|
||||
form.add(CheckboxWidget, 'is_admin', title = _('Administrator Account'),
|
||||
value = self.user.is_admin)
|
||||
|
||||
roles = list(Role.select(order_by='name'))
|
||||
if len(roles):
|
||||
if len(roles) and not is_idp_managing_user_roles():
|
||||
form.add(WidgetList, 'roles', title = _('Roles'), element_type = SingleSelectWidget,
|
||||
value = self.user.roles,
|
||||
add_element_label = _('Add Role'),
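Review bot: Leaving the `roles` widget out of the form only removes it from the page; the submit path of this method (outside the hunk) needs the matching guard, otherwise a `form.get_widget('roles')` lookup on a missing widget could fail or clear `self.user.roles` on save — please confirm the handler checks `is_idp_managing_user_roles()` or the widget's presence before touching roles. `Role.select(order_by='name')` is now evaluated even when the result is discarded; testing the flag first, `if not is_idp_managing_user_roles(): roles = list(Role.select(order_by='name'))`, avoids the query, and `if roles:` is the idiomatic emptiness test instead of `if len(roles)`. The enclosing method starts before and ends after this hunk.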
|
||||
|
@ -214,9 +215,9 @@ class UserPage(Directory):
|
|||
r = TemplateIO(html=True)
|
||||
r += htmltext('<ul id="sidebar-actions">')
|
||||
|
||||
if is_idp_managing_user_attributes():
|
||||
if is_idp_managing_user_attributes() and not is_idp_managing_user_roles():
|
||||
r += htmltext('<li><a href="edit">%s</a></li>') % _('Manage Roles')
|
||||
else:
|
||||
elif not (is_idp_managing_user_attributes() and is_idp_managing_user_roles()):
|
||||
r += htmltext('<li><a href="edit">%s</a></li>') % _('Edit')
|
||||
r += htmltext('<li><a href="delete" rel="popup">%s</a></li>') % _('Delete')
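Review bot: Hiding the sidebar link is presentation only — when both flags are set the `edit` URL is still routed unless the `edit` handler of this directory (outside the hunk) applies the same condition, so the server-side refusal should live there too, with whatever the directory already uses to deny access, rather than relying on the absence of the link. Each predicate is also evaluated up to twice per render; binding them once, `managed_attrs = is_idp_managing_user_attributes()` and `managed_roles = is_idp_managing_user_roles()`, then `if managed_attrs and not managed_roles:` / `elif not (managed_attrs and managed_roles):`, makes the three cases easier to read and drops the repeated config lookups.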
|
||||
|
||||
|
|
|
@ -215,6 +215,7 @@ class CmdCheckHobos(Command):
|
|||
if not pub.cfg.get('sp'):
|
||||
pub.cfg['sp'] = {}
|
||||
pub.cfg['sp']['idp-manage-user-attributes'] = bool(idps)
|
||||
pub.cfg['sp']['idp-manage-roles'] = bool(idps)
|
||||
pub.write_cfg()
|
||||
|
||||
if not idps:
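Review bot: `pub.cfg['sp']['idp-manage-roles'] = bool(idps)` is written unconditionally, so on a hobo-managed deployment the new admin checkbox (`idp-manage-roles` in `MethodAdminDirectory`) is overwritten with the same value as `idp-manage-user-attributes` every time this command runs, and the two settings can never diverge there. If that coupling is intended, a comment such as `# hobo deployments: the IdP owns both user attributes and roles` would make it explicit; if not, only seed the key when it is absent, `pub.cfg['sp'].setdefault('idp-manage-roles', bool(idps))`. The enclosing method continues outside the hunk.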
|
||||
|
|
|
@ -48,6 +48,9 @@ ADMIN_TITLE = N_('SAML2')
|
|||
def is_idp_managing_user_attributes():
|
||||
return get_cfg('sp', {}).get('idp-manage-user-attributes', False)
|
||||
|
||||
def is_idp_managing_user_roles():
|
||||
return get_cfg('sp', {}).get('idp-manage-roles', False)
|
||||
|
||||
def get_file_content(filename):
|
||||
try:
|
||||
return open(filename,'r').read()
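Review bot: `is_idp_managing_user_roles` has no docstring although it is the predicate the user form and the backoffice sidebar now branch on; a one-liner such as `"""Return the SP setting that delegates role assignment to the IdP (False when unset)."""` would state the contract, and the same wording fits `is_idp_managing_user_attributes` above it. Both helpers return the stored config value as-is rather than coercing with `bool()`; that holds as long as the only writers remain the checkbox widget and `CmdCheckHobos`, which both store booleans.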
|
||||
|
@ -844,6 +847,10 @@ class MethodAdminDirectory(Directory):
|
|||
title = _('IdP manage user attributes'),
|
||||
value = get_cfg('sp',{}).get('idp-manage-user-attributes', False))
|
||||
|
||||
form.add(CheckboxWidget, 'idp-manage-roles',
|
||||
title = _('IdP manage roles'),
|
||||
value = get_cfg('sp',{}).get('idp-manage-roles', False))
|
||||
|
||||
form.add_submit('submit', _('Submit'))
|
||||
form.add_submit('cancel', _('Cancel'))
|
||||
if x509utils.can_generate_rsa_key_pair():
|
||||
|
@ -920,7 +927,8 @@ class MethodAdminDirectory(Directory):
|
|||
'saml2_providerid', 'saml2_base_url', 'common_domain_getter_url',
|
||||
'grab_user_with_id_wsf', 'identity-creation',
|
||||
'authn-request-signed', 'want-assertion-signed',
|
||||
'idp-manage-user-attributes'):
|
||||
'idp-manage-user-attributes',
|
||||
'idp-manage-roles'):
|
||||
if form.get_widget(k):
|
||||
cfg_sp[k] = form.get_widget(k).parse()
|
||||
|
||||
|
|